This is a quite wonderful little way for manufacturers, because what it does is it lets them manufacture one single product, and yet with jumper pads or zero-ohm resistors or even EEPROMs, they can easily reconfigure it for other, more expensive models. This means they only have to make one model at one cost, and then, of course, they choose whatever price they want for all the different ones with more advanced features or things like that.
CIDCO boxes are, of course, something that everyone is familiar with. You've probably read the modification FAQs on them, text documents, or even done it yourself. This covers a lot of the different things I'm going to be discussing. And one thing I should warn you is, bear with me, because this is the first time I've ever been making a presentation in front of anyone, especially an audience this big. So I'm going to suck. I'm already going to warn you about that.
One of the first things to do if you're trying to figure out what mods are available for your particular device you've chosen... Oops, spelling error. Oh well, bear with it. Any special features on models that look identical? Like, for instance, the caller ID boxes. You've got two models that look virtually identical, yet the only difference between them is the number of calls they store. This could give you an idea of what features are or are not available to possibly be added or removed for your particular piece of hardware you've chosen.
Are there any unusual markings on the plastic? One of the things manufacturers like to do is, when they make their cases with the plastic injection mold system, it's a big metal mold. And what they do is they sometimes have modular components to it, so that when they inject the plastic, if they want to change the features as to what doors are or are not available, or openings or whatnot, all they have to do is simply put in a block of metal in place of another one, and you now have a door available there for buttons, or a hole or whatnot, for any other models. This is most visible on the Netpliance i-Opener, and I've got the same idea. So I've got the door on the i-Opener with the compact flash socket. If you look at it from the outside, you can see small ridges from where there is a door, even though it's a solid molded piece of plastic. And on the inside, you can see the holes drilled in the side for where the door snaps into place, if they ever made that into any of the i-Openers.
Are there any big, empty, and unused spots on the case, or whatever external case it is? Sometimes, what they do is, you'll find, let's say a VCR, for example, will have a big, open panel on it, a play and a stop button, and over on the other side a power button. There will be a big strip of absolutely nothing there. There could possibly be something added or made available for that, which I'll cover here shortly. With big, open areas, those are physical things such as displays, lights, all sorts of stuff.
And also, one of the other things I'm going to be talking about, that I used to look for, is LCD displays, or other gas plasma displays, vacuum fluorescents. You can sometimes see characters on them available, indicating that there are possibly certain features there. It could be that they used the same display for several different models, inside of the embedded chip, the main CPU for the device. There might not even be the ability there added for whatever number of calls you want to have, for a caller ID by the way, or other additional features such as ham radios or things of that nature.
The reason why you can see that on LCD displays is because LCD displays are meant to be viewed like in the top picture, looking straight down with the light source either behind you or around you with ambient light. If you look at it at a very shallow angle, you can many times see additional characters, with the contrast of them made more visible. So you can see what other features are there: segments of LCD displays for numeric characters or other certain features, such as funny little symbols like some of the people who make ham radios and cell phones and stuff like to put in. I had a much nicer picture until I lost it, so I kind of put together a quickie here.
You can view the cylinder-like shape, or slice of the display, which is supposed to be the liquid crystals. How this works is, light is sent through the first piece of polarizing glass and turns the light basically into a vertical polarization. The liquid crystals distort that vertical polarization and allow it to become pretty much non-polarized again. It then passes through the rear one, which has horizontal polarization, and is reflected off a rear reflective material of some kind, where it then bounces back through and allows you to pretty much see what looks like a light display or a light character. When electricity is applied on a thin metal coating on the surface of the LCD display, the liquid crystals line up and polarize themselves and keep from depolarizing the light that passes through, at which point the light will not be able to pass through the rear filter, and because the light cannot be reflected off the rear of the display, the reflective material, it ends up looking dark. The thing is, by lowering the voltage, the liquid crystals do not properly polarize themselves, and the end result is that the display looks somewhat faded or a light shade of gray, basically grayscale, like what the Game Boys do, and various other displays like the Palm Pilot, if you program in for using the grayscale functions.
The thing about it is, even when the display segments are wired to the CPU and are not being used, a small amount of trickle voltage is going through that, changing that polarization slightly. If you hold it up to the light to look through it like that first picture I had, when the power is not applied, you'll barely see anything at all. You might see the metal coatings, but you wouldn't see anything else. But when the small trickle voltage flows through it, the special characters that might not be normally available will be considerably more visible. So that way you can identify it just basically by its looks.
One thing to do when opening it up is keep all the screws separate, and what I always do is put down a piece of paper and mark what pattern the screws went in and what holes, for whatever device you're opening, whether it's a VCR or a television set or whatnot. Because many of these screws are different for each and every socket, and I've seen a lot of people throw them all into the same little bowl and then try to figure out afterwards what screw holes those go back into. Such a pain in the butt, so it's best to keep them all separate. In the first place, when you're trying to open it up, do not force it if it's snapped together and just won't come apart, because you will break the parts of the molded plastic case that are usually snapped together. That happened with my first CIDCO caller ID box I owned. As many of you probably have done, I broke the little snaps at the foot of it. And also, if the case gets stuck on anything, do not force it apart either, because you can damage it. They use cheap plastic that is easy to break.
On the circuit board, you can look for possible points where it can be modified at. Usually it involves a blob of solder of some kind, such as on the caller ID boxes, where all you have to do is, because of the rosin flux that's already on it from the original manufacturer, just touch a soldering iron to it and that will pretty much break the contact, and just add solder to reconfigure it again. Open solder pads that are abnormally shaped relative to the rest of the surface mount components: you'll find that when you look at many circuit boards that have solder pads on them that are open with nothing there, the surface mount components around it, such as the diodes and transistors and stuff, will usually have a different size and shape than the ones that are meant to just have a blob of solder to close it shut, to simply short the circuit. This is one of the other most common things as well.
Look for whole rows of zero-ohm resistors. Many times, zero-ohm resistors are used in place of blobs of solder because they look like any old surface mount component. And people will look at that. Many people who don't know how to read the numbers off the surface mount components will look at that and think it's just a regular resistor or diode or something else, and not think about possibly removing that. Rows of identical diodes or resistors. Usually the diodes are used for things... I found them used in ham radios and police scanners quite a bit. I'll have pictures of those coming up here shortly.
One of the things you're doing when you find a whole bank of them to go through... one of the tricks I found which is really good is Gray code. It's used for motor sensors and various other things, and is a different form of the regular binary logic which many of you people have seen. Touching wires together is one of the other most common things that I found very useful. Take pieces of wire, solder them straight down onto the pads so that they stick up, and simply touch them together, or twist them together, or short them together. That way, you only solder it twice: to put the wires on and to take them off. And that way, you can go ahead and adjust the configurations and combinations as many times as you want. Or, if you're going to have to do it for an extended period of time, I also install one of those banks of DIP switches that are commonly used in some of the jumperless motherboards and various other components, such as some of the older ISA cards.
Gray code looks like this. And the reason why it's shaped as it is, is obviously to simplify the design, and also, as you can see, each and every time the state changes, only one single bit changes between states. This means when you're soldering it, a lot less work. Because for this number of combinations, for 16 different combinations, you only have to solder it about 16 times to get back to where it was at the original factory default. Whereas if you use regular binary code, you pretty much find yourself soldering a whole lot of times, and in between 7 and 8, as you can see right there, you'd have to solder every single pad at the same time. And the more soldering you have to do means the more heat on your circuit board. That means you can actually delaminate the circuit material itself and take the traces right off.
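The Gray-code walk described above, as an added example that is not part of the original talk: it generates the reflected Gray sequence for a bank of solder jumpers, counts how many pads have to be touched to visit every combination and return to the factory state, compares that with walking the plain binary count, and prints a step-by-step "short this pad / open that pad" plan. The jumper names (J0, J1, ...) are hypothetical; the talk's 16-combination bank corresponds to four pads.

```python
# Added example, not from the talk. Walks every combination of a bank of
# N solder-jumper / zero-ohm positions in Gray-code order so that each step
# touches exactly one pad. Jumper names J0..J(N-1) are hypothetical; J0 is bit 0.

def gray_code(n_bits):
    """Reflected Gray code for n_bits positions.

    Entry i is i ^ (i >> 1). Consecutive entries, and also the last and the
    first, differ in exactly one bit, so the walk is a closed loop."""
    return [i ^ (i >> 1) for i in range(1 << n_bits)]


def bit_changes(a, b):
    """Pads that must be re-soldered to go from state a to state b."""
    return bin(a ^ b).count("1")


def solder_ops(sequence):
    """Total solder operations to walk the sequence in order and return to the
    starting (factory) state at the end."""
    total = 0
    for cur, nxt in zip(sequence, sequence[1:] + sequence[:1]):
        total += bit_changes(cur, nxt)
    return total


def walk_plan(n_bits, names=None):
    """Step-by-step plan: (new_state_bits, 'short'|'open', jumper_name).

    'short' means add the solder blob / zero-ohm link on that pad,
    'open' means remove it."""
    names = names or [f"J{k}" for k in range(n_bits)]
    seq = gray_code(n_bits)
    plan = []
    for cur, nxt in zip(seq, seq[1:]):
        diff = cur ^ nxt                      # exactly one bit set
        k = diff.bit_length() - 1             # which jumper that bit is
        action = "short" if nxt & diff else "open"
        plan.append((format(nxt, f"0{n_bits}b"), action, names[k]))
    return plan


if __name__ == "__main__":
    n = 4  # the talk's 16-combination bank
    print("Gray walk, ops incl. return to factory:", solder_ops(gray_code(n)))
    print("Binary walk, ops incl. return to factory:", solder_ops(list(range(1 << n))))
    for state, action, name in walk_plan(n):
        print(f"{state}  {action:5} {name}")
```

For four pads the Gray walk costs 16 operations round trip, while counting in binary costs 30, with the 0111 to 1000 step alone touching all four pads; that is the heat saving the talk is describing.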
There are all sorts of hidden features in TVs, VCRs, and other home electronics devices. These range from various models that have stereo, to region coding on some DVD players, possibly. I haven't had too much experience with that since DVD players are still a little on the pricey side. I don't want to rip apart a $200 piece of electronics gear just to find myself screwing it over. I think you people can sympathize with that.
This is the inside of my Raite 715 DVD player. And all over the board, ranging from on this side, that's by here, here, here, and also right here, here, and here, on the board there are whole banks of zero-ohm resistors. I haven't yet attempted to figure out what those do because, as you can see, a lot of electronics components are missing from it, which I'd have to add, which are usually available only on European models, such as for the SCART connector and also for the Dolby AC-3 output. And by enabling those features, the device might not even work or boot up. And also, I just bought the thing as well, so I am not going to mess with it. But it gives you something to look at. Here's a close-up of around the ROM chip, with the CPU up here. This is one bank of zero-ohm resistors. This is another bank. And here's another bank. Those are probably the ones that configure various things, such as what hardware is and is not installed and available on it.
Another thing to look at right here is, as you can see, this connector that goes to the faceplate has certain pins missing from it. I followed the traces and discovered that's for audio output. Audio-video outputs are right on the front of the player itself for connecting to a stereo system or something like that, which I've found on other... I've seen those in pictures of other Raite 715 DVD players. So you could get yourself another audio output by actually wiring those up, which could be useful if you have a crammed stereo system.
Another thing to look for is, as I mentioned earlier, VCRs. When I first got into figuring out hardware mods, one of the things I did was I decided to look at one of my VCRs that I had, which I'd pulled out of a dumpster and fixed up. I was too cheap to go out and buy one. I don't think many people can sympathize with me. Also, it's fun to fix up something yourself. One of the things I did... it only had a play, a stop, and a power button. No record, no sound, no speed adjustments, no nothing. I couldn't even rewind a tape except for playing it all the way to the end and letting it rewind automatically. So I took off the faceplate. Yeah, wonderful design, huh? So I took off the faceplate, and what I found was that on the circuit board right behind the display, there were through holes drilled in the circuit board, and pads, and the locations to solder on all the additional buttons for fast forward, rewind, etc. So I'm like, hmm. After some experimentation with the best way to implement it, I ended up screwing up the faceplate considerably, drilling lots of holes through it. So I went out and got a big chunk of aluminum sheet metal, drilled holes through it, put in your regular through-hole push buttons, a cheap pack of $1 ones from Radio Shack, and had myself a full set of buttons and a nice tricked-out VCR. That served me for several years until I turned around and gave it to a friend, who ended up dying last year. Aww.
On chips, one of the things to look for, on small embedded chips such as in telephones, radios, remote controls, pretty much almost anything that has a small single chip that can be reused for other things, such as other models of VCR or TV remote controls or the small simple things, is unused pins on them. They can enable you to do all sorts of things, especially if they're not wired to anything. Why they use these is it's less engineering, less work for them, and also it means faster certification as well, since some of these devices have to have FCC approval. What I'm going to use for an example is a DTMF chip, which is on this small touch-tone encoder here, which inside of it I decided I wanted to add the A, B, C, and D keys to one day. What I did is I studied it, and what I found is this pin, although it should be for the fourth column, was not. The fourth column was all the way up here. This is pretty common, to find unused pins all over the place. Usually these won't even have traces running to them. They'll simply be soldered to the board just so that the chip is held all the way down. What you can do is short the wires together, or in this case cut the trace on the board and rig up a slide switch, which is what I did with mine, so that I can switch the columns back and forth for the... Yes, sir?
Do you like to do that experimentally, or do you like to get the data sheets from manufacturers?
No, that's a good point. One of the things you can do to find the information on what pins are or are not used is to get, as this individual mentioned there, the data sheets from the manufacturers. Sometimes these are made available, sometimes they are not. In this case, for this UM chip, I have not been able to locate the specs on it, and I had to figure that out on my own. With the way it was designed, the wires simply run straight to both vertical and horizontal across the board and are shorted together. So all I had to do was take a paper clip and short the appropriate pins until I found the fourth column. It might be more complex for other devices, but for simple things like telephones, for adding, for example, redial buttons, flash buttons, even possibly memory buttons which are not available on your small cheap phone, you could be able to add them if you find unused pins.
On embedded chips there are all sorts of different ways they can be configured for the various jumper settings, like I pointed out earlier with the caller ID boxes, for the hardware configurations for the components. They could have diodes between them; they could be tied directly to the 5 volt supply to tie them high, or straight to ground to tie them low; they could even be not soldered to anything at all in order to disable them. They could have diodes in either direction; it all depends upon how the chip was designed in the first place. As to how to find this out, you can contact the manufacturer who had originally made the chip, especially if it's a commonly available one that is meant to be used for all sorts of devices, and get the data sheets on it.
Zero-ohm resistors, I found they come in all sizes. I've had very large ones almost the size of my pinky fingernail, all the way down to extremely small ones. Usually I found them to be black with zeros printed all across them, or green with zeros all across them, or even blank. And I even found a few blue ones as well that are totally blank and have zero ohms of resistance, and they are not capacitors or diodes; I've checked them all over. So they could look like almost anything.
Surface mount diodes come in all sorts of shapes, sizes, and colors as well, ranging from the cylindrical kind that is glass, like the old kind with the through-hole leads, all the way up to surface mount ones, even three-lead ones that have both the anodes tied together and the cathodes tied together at one end. Although those aren't very common, you do find them here and there. It's used for configurations such as in a few models of ham radio. One of the most common places I've found these to be used all over the place is for radio scanners and police scanners, as many of you people out there know, for how to modify police scanners to let them do cell phones or things like that.
Solder pads, zero-ohm resistors, diodes, and loops of wire are also extremely common. The loops of wire one is a pretty interesting one I'll point out later. Undocumented pins on the CPU, as mentioned earlier. There are also secret codes you can enter in on the keypad on a few models. And even computer interface systems are another vulnerability to let you enable your piece of equipment to do all sorts of other interesting little things.
For ham radios and police scanners, as mentioned earlier, solder pads, zero-ohm resistors, diodes, and now loops of wire are used. Loops of wire were actually kind of short-lived. Don't know if they're still there or not. The reason why loops of wire were used is because it was meant to be performed by the user after it was sold. The Uniden Corporation is the one who made the PRO-2026. That has a small number of loops of wire right behind the display, labeled L201. It's just a single arch that comes right off the small daughter board and right back down. You take that wire, cut it, reassemble your police scanner, reset it, and presto. You now have the ability to listen to cell phones. It's kind of the ham radio, the scanner company's way of thumbing their nose at the FCC when the FCC said you cannot have cell phone anymore. They said okay, our radios will be sold with cell phone frequencies; it's currently blocked. But of course all you have to do is remove the certain component, as opposed to adding it, and you can now get cell phones back. Then the FCC turned around, went to them and said, nope, you can't even make your scanners modifiable, so you can't modify them anymore. Unless you replaced the CPU with one from a European model, or just went out and bought a European one overseas that already had the ability to listen to those bands.
Alinco ham radios are another common one. On the base models you cut the yellow loop of wire and then reassemble it and reset the radio, and now you can both transmit and receive out of band, depending upon the model. It will depend upon what frequencies you have. Same thing with the handheld models: they have two loops of wire, both a red and a blue one. Cut the blue one, you can now receive out of band, which usually includes things like just about 10 to 20 MHz both above and below the ham radio band, depending upon if it's 2 meter or if it's 70 centimeter, and you cut the red wire and you can now do MARS/CAP as well. You can also, with many of the Alinco ones, when you enable the out-of-band reception, you can now listen to AM aircraft frequencies as well, indicating a whole new stage of circuits which normally would not be used inside the radio. And also of course everyone's familiar with the Yaesu FT-50, who here isn't. It has one single blob of solder behind the keypad. Remove the keypad, remove the solder, reset the radio, it's modifiable.
In many cases the ham radio companies actually want the customers to be able to modify the radio themselves. A few companies with certain models would actually send you out the various components you'd either add or remove and give you instructions on it, if you proved you had a MARS/CAP permit. What that would let them do is that would remove the work from them, since 99% of the time the mod would work quite well. And of course if it didn't work, what you could do is contact them, send it in, and they will service it under the warranty even though you've opened it up and modified it, as long as you can prove you have the MARS/CAP permits.
For radio scanners, the PRO-43 shows some of the most common jumpers and configurations out there. Diode 1 either enables or disables the key lock switch. I think this was probably added for OEM use, for ones that they would not want to have the keypad modified or touched or anything like that, so it would just be stuck at certain frequencies. Diode 2 would enable the 30 to 54 MHz coverage; if it was there you can listen to those and tune to frequencies within that band. If it's removed, you cannot listen to stuff within that band. Same thing with diode 3, which is for Europe: 30 to 54 is television signals over there, while here in the United States 66 to 88 MHz is television signals. So there's no point in tuning in those frequencies, so that's why they can configure between those two for the different markets. And by putting in both diodes in those locations you can tune in both areas of those frequencies. Diode 4 would either block the cellular bands or allow the cellular bands. And of course they'd make it so that all you had to do was remove the component, quite conveniently, and you could now listen to such frequencies.
With surface mount components, most people would either crush or destroy the component on the board without having to get out a soldering iron, or actually take the time to desolder it and place it into another location to enable it to work. For instance, the 66 to 88 MHz range. On most other ham radios... on most other police scanners there's a single diode in place of diode 2 and diode 3 that either switches between the 30 to 54 MHz range or the 66 to 88 MHz range, depending on whether it's there or not. The only problem with listening to these frequencies, when comparing the 30 to 54 MHz range to the 66 to 88 MHz range, is the electronics are not designed to tune in 66 to 88 MHz, so you can listen to stuff there if someone is actually transmitting there, but the reception will be quite poor without a lot of readjustments and a lot of replacement of the components. But still, it's just nice to have that feature added.
And of course diode 5 would change the stepping range of the cellular telephone frequencies. In Europe, since the cell phones use a totally different frequency plan, what they do is for that area they would have 12.5 kHz steps in between the frequencies. So you can listen to the frequencies or whatever they would have over there, depending upon your area or whatnot. But in America they use 30 kHz steps for the analog cell phones in those frequency bands. The thing about that is they'd want to have the frequency jumps in between the two frequencies, for the stepping range, configurable for the various markets.
Another idea with sticking the wires straight onto the solder pads or whatever configuration point, and sticking them up and touching them together, is you can touch together combinations of resistors, diodes, or whatnot that were not meant to be crossed over, to possibly make use of various bugs within the firmware designed inside the chip. With the PRO-43, when you add a diode and cross it between the cathode of diode 1 to the anode of the slot for diode 5, when you step up or down, the police scanner will now jump very large steps. This would override and jump over the frequencies that would normally block at each end of, let's say, the 66 to 88 megahertz range. When it tries to go below 66 megahertz it will automatically skip over to the next frequency that would be available, either below or above it. But because it's now jumping over that frequency by stepping in a manner that would be larger than it's supposed to, it jumps straight past that blocking, as if you got a signal, and saves the frequency wherever you wanted to. This will let you open up the entire police scanner from 0.5 kilohertz all the way up to 999.995 megahertz.
With the PRO-23, 25, 46, and 51 handheld scanners, which were made by Uniden, along with various other Uniden radios, depending upon what you're using, there are all sorts of keypad tricks for holding down buttons on it and turning it on. The instruction book actually says hold down the 2 and the 9 key while turning on your power and the radio is totally reset; all your frequencies are lost. But if you hold down 2, 9, and the lockout keys when turning on, you now erase all the memories and you fill memory banks 1 through 25 with test frequencies. 2, 9, and manual does totally different test frequencies than 2, 9, and lockout, and only 1 through 7 are filled with these test frequencies for workbench use. 2, 9, and the band button, or 2, 9, and the monitor button, will do a display test which will cycle through all the various characters on the display, useful if you've ripped the thing apart or rebuilt it or somehow fixed it up, combined it with other parts, and want to see if the display works properly.
The cool thing about the 2, 9, and lockout is, as I stated before with the PRO-43, when it jumps outside of its normal range you already get frequencies right here that are outside the range that those are supposed to be able to tune on these scanners. So without even opening it up, without even hardware configuring it or anything like that, you already have frequencies that are outside the normal range. So you can search up or search down and it'll already be inside those bands, and you could go to the extremes of it and store those frequencies elsewhere in other memory areas. 14, 15, and 16 are in the 66 to 88 megahertz range, and 23, as you can see, is within the cellular telephone range. That will let you listen to cell phones; all you have to do is go to the upper and lower limits and you could pretty much have a blast listening to whatever analog cell phones altogether.
For ham radios, some of the most common ones are the MARS/CAP, which is extended transmit abilities. Certain forms of extended reception, such as AM aircraft like with the Alincos. Cellular, VHF, UHF, and even 800 megahertz: with some radios they would actually ship them with the 800 megahertz range allowed and all the electronics necessary to tune it, and all you have to do is clip a wire or otherwise change the diode configurations and resistor configurations, and you can now listen to 800 megahertz. The reason why they even do this is because in order to receive out of band it requires further FCC approval and certification. So they ship it purposely crippled and let the user modify it to enable those added features. They say, well, it's not FCC approved, though, but I seriously doubt the FCC is going to raid your place and kick down the door because you're now listening to the police on 155 megahertz, which is outside your ham radio band, and arrest you for that kind of stuff.
Features for specific countries, such as their transmit and receive ranges, repeater tone control, repeater offsets, and various other features for specific countries. And for the model configurations, there are certain pieces of hardware that are or are not available, such as with some of the radios the 800 megahertz range, or dual band, such as 70 centimeter versus 2 meter, where they'd use the same CPU but certain pins would tell the CPU what model of radio it's in, indicating what frequencies you can tune into.
MARS/CAP, as many of you people out there who have probably modified ham radios know, is a feature which many of you have heard as an acronym but still don't know what it means. Military Assisted Radio Service is what MARS stands for. It's a service where ham radio users apply their services and apply their hardware to patch telephone calls in wartime emergencies, disaster areas, and things like that. Civil Air Patrol was started back in World War II with civilian aircraft spotting German U-boats off the east coast, and they're still used nowadays. You never know when it might be needed; if we ever go to nuclear war, someone might need to spot a nuclear bomb 30 seconds before it hits the ground. Search and rescue is also what it's used for as well, which I was about to cover. A friend of mine is in it as well. And these bands are generally 130 to 170 megahertz, or 115 to 170 megahertz, sometimes more, sometimes less, depending on what the ham radio companies decide to manufacture in.
One of the other things I've found is, especially if you're into MARS/CAP like a friend of mine is and needed to modify one of his ham radios: he frequently loaned it to someone else and was constantly afraid of this person using and abusing the out-of-band transmit abilities, which of course he wasn't supposed to let that person use. With many of these ham radios you have to reset the radio with a keypad combination or something like that in order to complete the modification. So what you do is you modify the hardware, cut the wire, remove the diode or whatnot to actually modify it, reset the radio, and then unmodify the hardware. But don't reset the radio for that last final little stage. That would pretty much not finalize the mod, and it could still work in the MARS/CAP range, but all you have to do is reset the radio and the radio is now restored back to its original factory configuration. And you can go ahead and loan it out to your friend at that point and let him use it without the ability of him to abuse it.
One of the things out there that I have found is software hacks. So if you have a computer... with many of the ham radios and radio scanners having computer interfaces available for them, this lets you do all sorts of really interesting things, which with many of the early radios you could actually take advantage of, such as with the FT-50 for example. What you can do is hex edit the saved data files, in the case that the saved data file is basically a direct memory dump of all the information inside the radio or scanner, either RAM or EEPROM memory, and just dumps it all out as a computer file, which is what the software does. You can then go in with the hex editor, change various information, such as letting you go out of band or things like that, and then re-upload it to the radio. This can also be used for hardware configurations and whatnot. You can intercept or emulate the data transfers by writing your own custom software to let you do these various things. Or even, if it's possible, directly edit the device's EEPROM or RAM memory with an in-circuit reader/writer. Of course, that would be pretty darn complex, and I would love to see someone out there design that, but that's beyond my abilities.
Blank.gif is a file I commonly use on some of the websites I design.
It's basically a one-pixel by one-pixel transparent GIF.
This gives you an idea of what a hex file looks like when you view it, or what a computer file looks like when you view it in its hexadecimal form, which is how the computer sees it.
For the RDF file that the FT50 uses for the saved data configuration, you can see that it's at 5E3 hex.
That specific spot in memory is where the configuration for the hardware is, what country code it's configured for.
This is also backed up at CE7 hex as well; those are the hex addresses for where those are.
What you can do is... these two cannot be modified at the same time.
You can't modify these and send it out to the radio, because the radio will check that and say, whoops, you're trying to upload a file meant for a totally different radio, I'm not going to allow that, and give you a random error message on the display.
But what you can do is change the first one around and then upload the file to the radio at that point.
What it would do is, the radio will accept it and look only at the second one and say, okay, I'm supposed to accept you.
Now it will change itself around so that it will be, for instance, if you change it over to 2 hex, you now have a different country code programmed into it.
Then when you re-download the radio, both of those memory spots will be 02 hex.
When it comes to saved data files, one thing that they like to do is put in checksums to tell if the file is corrupted or not, or if the user has modified it themselves.
As you can see, this is kind of a simplified version of checksums right here, which is a simple summing method where you add all the hex characters up and you end up with a single digit to tell if it's been modified or not, or if it's been damaged or otherwise corrupted.
As to what kind of checksumming is used, some of the programmers can get really bored and use all kinds of weird things, even quantum math if they wanted to, to form some hundred-character checksum.
It could happen, but the most common find is just simply summing it all together.
As you can see, right here when this one goes up to 2 hex, the checksum goes up one as well.
This is almost an instant telltale sign that they're just simply using the summing method of checksumming.
And as you can see, when this one goes up to 20 hex, this goes up to 50 hex as well; it makes the 10 jump.
And when this one goes down one, so does this.
All you have to do is find out where the checksum is being stored by changing small, simple bits of information and looking at where those changes are actually taking place in the checksum.
At that point, you know where the checksum is, and when you go in and change whatever little bit of information you want to, what frequency or whatnot, change the checksum equally up or down along with it.
If they use a more complex form of checksumming, well, you'll have to figure that one out on your own.
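The "simple summing method" the speaker describes, worked through in code. This is an added example, not the speaker's slides or any radio vendor's file format: the 9-byte dump layout, the country-code offset, the checksum position and the key are all constructed for the demonstration. It shows the three things a practitioner would want to see: an additive checksum catches a bit flip (accidental corruption), the checksum byte can be located by a differential comparison of two saved files that differ in one field, and, because the sum moves by exactly the delta of the edited byte, a compensated edit still verifies. The last function contrasts that with a keyed HMAC, which is the check a design needs if "has the user modified it" is the real question.

```python
"""Additive (byte-sum) checksum over a saved-data dump: locating it,
verifying it, and why it gives no protection against a deliberate edit.

The dump layout below is constructed for this example; it is not the FT50
RDF format or any real radio's file.  All offsets are hypothetical.
"""
import hashlib
import hmac

# Constructed 8-byte "configuration" payload (hypothetical layout):
# offset 5 plays the role of the country-code byte discussed in the talk.
CONFIG = bytes([0x01, 0x00, 0x07, 0x45, 0x00, 0x02, 0x10, 0x00])
COUNTRY_OFFSET = 5


def byte_sum_checksum(payload: bytes) -> int:
    """The 'simple summing method': add every byte, keep the low 8 bits."""
    return sum(payload) & 0xFF


def build_dump(payload: bytes) -> bytes:
    """Store the checksum as the final byte (constructed layout)."""
    return payload + bytes([byte_sum_checksum(payload)])


def verify_dump(dump: bytes) -> bool:
    """What a receiver does: recompute the sum and compare with the stored byte."""
    return byte_sum_checksum(dump[:-1]) == dump[-1]


def locate_checksum(dump_a: bytes, dump_b: bytes, edited_offset: int) -> list:
    """Differential search: given two dumps that differ only in one edited
    field, every other offset that changed must be (part of) the checksum."""
    return [i for i, (a, b) in enumerate(zip(dump_a, dump_b))
            if a != b and i != edited_offset]


def patch_with_compensation(dump: bytes, offset: int, new_value: int,
                            ck_offset: int) -> bytes:
    """Change one byte and move the additive checksum by the same delta.
    The result still verifies: an additive sum detects accidents, not intent."""
    out = bytearray(dump)
    delta = new_value - out[offset]
    out[offset] = new_value
    out[ck_offset] = (out[ck_offset] + delta) & 0xFF
    return bytes(out)


# Keyed integrity check for comparison (the mitigation): HMAC-SHA256.
DEMO_KEY = b"constructed-demo-key"  # constructed; a real device holds its own secret


def mac_tag(payload: bytes) -> bytes:
    return hmac.new(DEMO_KEY, payload, hashlib.sha256).digest()


def verify_mac(payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(payload), tag)


def demo() -> dict:
    original = build_dump(CONFIG)  # checksum byte works out to 0x5F
    # 1. Accidental corruption (bit flips at offset 2, checksum untouched) is caught.
    corrupted = bytearray(original)
    corrupted[2] ^= 0x0F
    # 2. Differential locate: re-save after bumping the country byte by one.
    bumped = bytearray(CONFIG)
    bumped[COUNTRY_OFFSET] += 1
    ck_offsets = locate_checksum(original, build_dump(bytes(bumped)), COUNTRY_OFFSET)
    # 3. Compensated edit: country byte 0x02 -> 0x20, checksum follows (+0x1E).
    patched = patch_with_compensation(original, COUNTRY_OFFSET, 0x20, ck_offsets[0])
    # 4. The same edit checked against a keyed MAC over the original payload fails.
    tag = mac_tag(CONFIG)
    return {
        "checksum": original[-1],
        "corruption_detected": not verify_dump(bytes(corrupted)),
        "checksum_offsets": ck_offsets,
        "compensated_edit_passes": verify_dump(patched),
        "compensated_edit_passes_mac": verify_mac(patched[:-1], tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The differential step is the speaker's "change small, simple bits of information and look where the changes take place": with a single-byte additive sum only one extra offset moves, which is the "instant telltale sign" of the summing method. A multi-byte or keyed check would show several unrelated bytes changing, or none that can be adjusted independently, which is the signal that the file is protected by something stronger than a sum.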
Another form of data transfer that they use is where they don't do a direct memory dump.
In this theoretical model, it just simply sends out a block of information saying, I want you to do this frequency in this memory bank.
The advantages of this are it can be a lot faster to upload the information or download the information to or from the police scanner or ham radio, because there's a lot less information being sent into and out of it.
And as you can see right here, the first one sent out is just a simple wake-up, here comes some information; it sends out the various frequencies, sets channel one to be the priority channel, and sets channels one, banks one and two to be scanned and all others off.
Then it tells it it's all done with the interface and to go back to normal operation.
In this theoretical model, as you can see, these first characters sent out are the memory slots the radio goes into for a 100-channel police scanner.
And then as you get down here, other codes are sent out to give it other bits of information.
But what happens is you actually send out other codes, like what does A2 hex do, A3 hex, and other things.
You can possibly get it to go into test modes, change the hardware or other things, and change various other forms of configuration with it.
Direct edits of the device's memory.
One thing you can do is, such as with the CueCats, if you really wanted to change the serial number, desolder the EEPROM chip instead of declawing it, drop it into some kind of reader/writer unit, and change the serial number to, let's say, 000000031337.
Another thing you can do is use a reader/writer to take the information, instead of directly editing it inside the chip, which is a little bit more complicated than some will let you do, save it as a file, hex edit it using your existing software to upload and download the file from your reader/writer unit, hex edit it as before, and then re-upload it to the chip and re-solder it into place.
Another thing you can do with the CueCat as well, which a friend just told me about a half hour before this little speech, is take the data line when you declaw it, cut that little trace on the board, and instead tie that trace straight to ground.
Now, although I haven't had a chance to try that yet, he said that theoretically it should let it output all zeros, but I don't think so, instead of giving some erroneous information and errors in the serial number.
Let's see the Digital Convergence company try to track a serial number with all zeros when half the country has that.
One thing you can also do as well is, if someone actually goes out and takes the time to make it, have an in-circuit EEPROM reader/writer that will let you read and write the RAM or the EEPROM chip or flash memory or something like that directly inside the unit without having to desolder it and take it out.
Of course, all this information is covered and is basically the same information as to how you'd hack digital television signals and whatnot, but it also applies to all sorts of other little things as well, when you mess around with smart cards or all sorts of things.
One thing to do is to practice with video game emulators, for example, by editing the saved game information that some of them have.
This lets you get some practice messing around with checksums, hex edits, and editing, finding locations to actually edit, things like that.
That pretty much concludes this little presentation of mine.
You can find this slideshow at this website, which I have right here, if you actually want to view it, along with, of course, these cute little pictures of mine, which are also my Windows wallpaper as well.
Although I haven't had a chance to upload this yet because I've been busy with various other things here at the convention, I hope to have this uploaded tonight, so if you go to this URL, like right now, you'll see it.
It will come up with a nice little 404 error message.
Does anyone have any questions?
Yes, you.
Could you please repeat that?
Tradezone.com?
Free Trade Zone.
Oh, Free Trade Zone.
I've never actually been there.
Yes, freetradezone.com might have some information as to this.
I haven't seen it myself, so I can't tell you exactly what is or is not there, so anything else from anyone?
Yes, you.
Yes, any particular attacks against cell phones?
Cell phones.
Oh, I was going to cover that.
Cell phones usually have a customized chip which has everything built into it.
The code which is stored, which is actually the computer program itself, the firmware, everything is stored on one single chip.
Many times these chips are actually meant to be programmed only once with certain data lines, and then tied straight to ground or something like that.
The memory that's used inside them could be an EEPROM for firmware updates if it's ever sent back to the factory, or it could simply be a PROM chip, programmable read-only memory, and meant only to have the information sent to it once, and you can no longer reprogram it or anything like that.
All the other information, such as the EEPROM which stores the ESNs and various other serial numbers, that is stored within the chip itself, and usually that is extremely hard to get to unless you actually use it.
You can actually first modify the code to then let you get access to it.
So with the newer cell phones it's virtually impossible, unless you know some secret trick that I don't, but with many of the older cell phones, especially the ones that have the EEPROM chip soldered separately on the board, or have the ROM chip for the software, such as with the OKI 900, you can then go through, rewrite new firmware to the ROM chip, solder on the ROM chip, or put it in a socket if you're lucky enough to have a socketed OKI 900, and then you can gain access to changing the ESNs.
Anything else?
Yes, you.
ones from other companies use solder pads and blobs of solder on them.
When you're directly editing the information as a saved data file with a hex editor
or however you're directly editing it, to look for the checksum,
that would be kind of hard to look for,
and you'd have to change a lot of information around
and figure out pretty much what you're doing.
Another thing you can also do is find configurations from friends in foreign countries
and compare the information together to figure out exactly where this information is stored at
and what bits and bytes change here and there.
It can be a lot of work figuring out where this information is stored at, though,
but, of course, that's part of the fun of it as well.
Yes?
Have you ever fried something by changing around the configurations?
Not yet, but, of course, I'm going to one of these days.
So that's one thing to keep in mind.
When you fry your device, not if, but when,
years down the road,
you fry your device,
do not blame me for seeding this information into your head.
Anything else?
Yes?
Because you're working with logic-level signals,
it's not something that you would do to the chip itself,
it's something else in the device that could be damaged.
Yeah.
It's not the logic-level signals that cause the damage,
but an effect of setting the configuration.
Yes, good point.
By changing the configurations themselves,
you might not actually fry the device directly,
but you might tell, for instance, the CPU
to use a piece of hardware, a microchip that's not available there,
and it's trying to use it and could eventually burn itself out,
possibly in a matter of seconds, possibly in a matter of years.
This is a theoretical possibility, which I haven't come across yet,
but it could be possible with some of the devices
that are going to be released out in the future.
Yes?
Any modifications of Palms or the Palm OS system?
The Palm Pilot itself, no modifications that I know of, or any of the other PDA devices, except for adding memory.
When you add memory, usually there are no resistors or solder pads
or anything like that to configure or change the device.
The CPU just simply scans what memory is and isn't available,
adds it all up, says, okay, I've got two megs, I've got four megs,
or something like that.
There could be lots of other configurations as well and ways of doing it.
Yes?
The Handspring, which has full white papers on the Springboard.
Could you please repeat that?
The Handspring came out with the Palm operating system.
Yes?
They have a Springboard on the back that allows you to attach any device that's made.
The full white papers on this are on their website, as well as all the code tools for programming the software that you might want to make.
So you can create any device that you want and input it into the Handspring.
Yes, the Handspring.
For creating the Handspring modules, what you can do is, as this individual had just pointed out, all the specs are available for the various connectors on it, for what memory can be added or address ranges or things like that.
With many of the sockets, they meant for people and companies
to come out with upgrades and add-ons, and this can be documented.
It might be difficult convincing them to tell you the information
because you're not some big multi-million dollar company,
but in fact some private little individual.
They'll be a lot less likely to tell you.
Anything else?
Yes?
Yes, as this individual had pointed out, one of the things is the Handspring upgrade socket is electrically seen as a PCMCIA slot, even though the card design, the socket design, the pinouts, etc., are shuffled around and configured differently.
So you could possibly, if you're interested in hacking the Handspring, look up the information on PCMCIA slots.
Any other questions?
Anyone might have?
Any heckles?
Well, that pretty much concludes my little speech.
I hope you enjoyed it.
Thank you.
